LOGbinder Blog

Updates, Tips and News

SIEMs that can protect you best offer LOGbinder integration

Mon, 28 Dec 2015 11:34:58 GMT

Because monitoring sensitive information inside the application is a top priority, the market’s best SIEMs have all built LOGbinder integration into their product. These products deserve special mention for their proactive approach to information security. Here’s the list of SIEM solutions that built their custom integration for LOGbinder:

  • EventTracker
  • GFI
  • IBM QRadar
  • LogPoint
  • LogRhythm
  • McAfee ESM
  • RSA Security Analytics
  • Solarwinds LEM

LOGbinder developed the LOGbinder integration for ArcSight ESM many years ago to meet market demand. Many organizations are bringing Splunk into their Security Operations, so we developed the Splunk App for LOGbinder, a new free product that has been well received (thanks for your feedback!).

More SIEMs are taking an interest and tell us they, too, will be providing their own integration. We’ll let you know when that happens.


Keep your SIEM’s application audit rules & alerts up-to-date

Mon, 28 Dec 2015 11:34:46 GMT

All three of our applications posted updates in 2015 that included new event IDs. These updates with their new event ID collection don’t take place in a vacuum. Make sure your SIEM knows about the new events and what their impact may be on your use-case(s). For example, the latest Exchange compatibility release added more than 50 new events – and led us to update our Recommended Reports and Alerts Designs for LOGbinder for Exchange.

Customers with current support and maintenance contracts all got major updates to their Exchange, SharePoint and SQL Server audit solutions in 2015. Advances in LOGbinder technology brought reduced performance draw on monitored environments as well as improved speed in delivering critical events to the SIEM.

We keep a log of those updates at https://www.logbinder.com/Support/History. Some of the updates were to address bugs, but most of them introduced performance improvements and new event ID collection.


The 24-hour Bug in Microsoft Exchange Mailbox Auditing

Mon, 14 Dec 2015 16:36:48 GMT

“This is the official LOGbinder page for tracking the Exchange 24-hour mailbox audit bug. You can keep up with everything my team knows and is doing by checking this page often.” – Randy Franklin Smith



LOGbinder bulletin, December 14, 2015 -- While investigating a support case, LOGbinder discovered a non-obvious yet critical bug in Exchange audit logging that essentially delays your ability to detect non-owner mailbox access for 24 hours. The PowerShell cmdlets New-MailboxAuditLogSearch and Search-MailboxAuditLog produce audit search results that are unpredictable and inconsistent when auditing all mailboxes and the start date is less than 24 hours ago.

We have notified Microsoft about the problem and they have confirmed it as a bug but have told us that they have no timeline for a bug fix. The bug affects Exchange Server 2010, 2013 and 2016.

What is the risk?

The risk to you is that you may never know you have an Exchange Server data breach – despite performing regular audits.

This strikes at the very core of application security audit. Not only is a 24-hour audit delay 24 hours too long; audit integrity is also absolutely critical to security intelligence operations.

Details about the Bug

We encourage you to watch an 8-minute clip of our recent Exchange mailbox audit webinar embedded below. In this clip we discuss specifics about the bug and how it could be affecting you.

Here are the highlights about the bug:

  • The bug returns unpredictable results when auditing all mailboxes: you may get no events at all when there are events, you may get only a few events, or you may get all matching events as you should. 
  • Unless you are looking for specific events repeatedly – or you audit your audit results – you will never notice the problem. 
  • The bug is not documented. We have reported this issue to Microsoft; they have confirmed it is a bug and said they have no solution timeline to share. Microsoft’s suggested workaround is to use a date range greater than 24 hours.
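The highlights above describe the failure mode (an all-mailbox search with a start date under 24 hours old may return none, some or all matching events) and Microsoft's workaround (a date range greater than 24 hours). The script below is an added example, not LOGbinder's code and not from the webinar: a targeted, synchronous mailbox audit log collection for an on-premises Exchange Management Shell that enforces the workaround on every search, queries each sensitive mailbox individually for non-owner (Delegate and Admin) access, and writes one summary line per mailbox so the SIEM can "audit the audit results" by alerting when a normally busy mailbox suddenly returns zero records. The cmdlets Get-DistributionGroupMember, Get-Mailbox and Search-MailboxAuditLog are real Exchange cmdlets; the group name, output path, the key=value line format and the 25-hour minimum window are assumptions.

```powershell
# Added example, not LOGbinder's own code. Run in the Exchange Management Shell
# (on-premises Exchange 2010/2013/2016) with a role that permits mailbox audit
# log searches. Group name and output path are ASSUMPTIONS (placeholders).
param(
    [string]$HighPriorityGroup = "Executive-Mailboxes",              # ASSUMPTION: group of sensitive mailboxes
    [datetime]$StartDate = (Get-Date).AddDays(-2),
    [datetime]$EndDate = (Get-Date),
    [string]$OutFile = "C:\AuditExport\mailbox-nonowner-access.log"  # ASSUMPTION: file the SIEM agent tails
)

# Apply the workaround Microsoft gave LOGbinder: never search with a start date
# under 24 hours old, and keep the range itself greater than 24 hours.
function Get-SafeAuditWindow {
    param([datetime]$RequestedStart, [datetime]$RequestedEnd)
    $latestStart = (Get-Date).AddHours(-24)
    if ($RequestedEnd.AddHours(-25) -lt $latestStart) {
        $latestStart = $RequestedEnd.AddHours(-25)   # ASSUMPTION: 25 h keeps the range strictly > 24 h
    }
    $start = $RequestedStart
    if ($start -gt $latestStart) {
        Write-Warning ("Start {0:u} is too recent for a reliable search; using {1:u}." -f $start, $latestStart)
        $start = $latestStart
    }
    return New-Object PSObject -Property @{ StartDate = $start; EndDate = $RequestedEnd }
}

# Quote a value for a key="value" log line so a subject containing quotes cannot break parsing.
function Format-Field {
    param($Value)
    if ($null -eq $Value) { return '""' }
    return '"' + ([string]$Value).Replace('\', '\\').Replace('"', '\"') + '"'
}

$window  = Get-SafeAuditWindow -RequestedStart $StartDate -RequestedEnd $EndDate
$targets = @(Get-DistributionGroupMember -Identity $HighPriorityGroup -ResultSize Unlimited |
             Where-Object { $_.RecipientType -eq "UserMailbox" })

foreach ($member in $targets) {
    $mbx = Get-Mailbox -Identity $member.Identity
    # A search against a mailbox with auditing switched off returns nothing, silently.
    if (-not $mbx.AuditEnabled) {
        Write-Warning "Mailbox auditing is disabled on $($mbx.PrimarySmtpAddress); skipping."
        continue
    }

    # Synchronous, per-mailbox search for non-owner (Delegate and Admin) access.
    $records = @(Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Delegate,Admin `
                 -StartDate $window.StartDate -EndDate $window.EndDate -ShowDetails -ResultSize 250000)

    foreach ($r in $records) {
        $line = "ts={0:o} mailbox={1} op={2} logon={3} actor={4} ip={5} client={6} folder={7} subject={8}" -f @(
            $r.LastAccessed, (Format-Field $r.MailboxOwnerUPN), $r.Operation, $r.LogonType,
            (Format-Field $r.LogonUserDisplayName), $r.ClientIPAddress, (Format-Field $r.ClientProcessName),
            (Format-Field $r.FolderPathName), (Format-Field $r.ItemSubject))
        Add-Content -Path $OutFile -Value $line
    }

    # "Audit your audit results": one summary line per mailbox per run, so the SIEM
    # can alert when a mailbox that normally produces records suddenly returns zero.
    $summary = "ts={0:o} type=audit-summary mailbox={1} window_start={2:o} window_end={3:o} count={4}" -f @(
        (Get-Date), (Format-Field $mbx.PrimarySmtpAddress), $window.StartDate, $window.EndDate, $records.Count)
    Add-Content -Path $OutFile -Value $summary
}

Write-Host ("Processed {0} mailboxes for {1:u} to {2:u}; output in {3}" -f @($targets.Count, $window.StartDate, $window.EndDate, $OutFile))
```

Run it from a scheduled task; with the defaults it searches a two-day window ending now, which already satisfies both constraints, and if an operator passes a start date inside the last 24 hours the script warns and moves it back rather than running a search whose results the bulletin describes as unpredictable. The summary line is the detection hook: a rule that fires on count=0 for a mailbox whose recent runs were non-zero catches both a silent search failure and auditing being switched off.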

LOGbinder’s View on this Issue

The bug introduces a huge business, compliance and security impact. It is simply unacceptable to be unable to detect or respond to information theft for 24 hours. Security audits need to be available in seconds, not minutes! A delay brings compliance issues and prevents organizations from handling Edward Snowden-like information grabs before the culprit is out of reach.

We believe that you need to get audit results off the system (or application) where they are generated as fast as possible, without causing harm to the application or system while using least privilege.

What LOGbinder is Doing

Our development team is solving the problem. To ensure audit integrity we have released an update to our Exchange audit solution that all customers should download and begin using immediately. LOGbinder for Exchange 3.1 allows customers to choose whether they wish to perform audits in less than 24 hours, but defaults to the delay that we know will provide all the audit results requested. Click here to download: https://www.logbinder.com/Form/LBEXDownload

But LOGbinder for Exchange 3.1 is only the first phase of the ultimate solution. We are working with Microsoft and the Exchange Server community to raise awareness of the issue to get it to the top priority within Microsoft.

Exchange Server’s audit function is quite good. Leaving the bug aside, few applications make such an effort to audit events. Microsoft deserves a lot of credit (more than they usually get) for embedding both an admin and mailbox audit function in the application.

But unless and until Microsoft fixes this bug, we realize you need to protect your organization and fulfill compliance requirements.

Coming soon: Targeted, Synchronous Mailbox Audit Log Collection

Our new edition of LOGbinder for Exchange due Q1 2016 will continue to maintain audit log integrity using least-privilege and minimal impact, and deliver the admin audit as well as mailbox audit logs with a new robust and stable technology to provide audit logs for high-priority mailboxes in near real-time!

As in our current version, you can specify groups or OUs of executives or other sensitive mailboxes, and LOGbinder will use synchronous mailbox audit log searches on those groups and/or OUs. (To understand why “synchronous” is so significant, watch the full edition of our webinar Detect and monitor threats to your executive mailboxes with Exchange mailbox auditing.) Non-targeted mailbox audit logs, which should also be monitored for non-owner access, will be returned in 24 hours (if and when Microsoft fixes the bug).

The benefit is that your targeted mailboxes will get to your SIEM in minutes if not seconds! Click here to get the beta of the newest edition of LOGbinder for Exchange when it becomes available.

What You Can Do

Stay up-to-date and get the latest innovations from LOGbinder.

If you are already a LOGbinder for Exchange customer, the first thing you should do is download the latest version. This ensures that all the audit events you should be getting reach the SIEM, even if they are delayed 24 hours. Some organizations have reported that they have no issues with the 24-hour delay.

Register for a beta of the coming new edition of LOGbinder for Exchange that will deliver targeted mailbox audit using synchronous search and real-time log delivery.

Open a support case with Microsoft to let them know this bug is a problem for you and send us the case ID. LOGbinder is taking a proactive approach with Microsoft and the Exchange Server community to help solve this problem and your participation will be of great value to the process.

Join the discussion at http://forum.ultimatewindowssecurity.com/Forum1608-1.aspx.

Bookmark this page and check it often to see what news and updates there have been. We will keep you up-to-date with everything we know and are doing by adding news items to the top of the page (content will be in reverse date-order top-to-bottom).


Recently exposed Exchange mailbox audit bug and what can be done to overcome it

Mon, 07 Dec 2015 17:21:29 GMT

Timely removal of the audit log from the monitored environment is absolutely critical. Thanks to a diligent customer’s incredible level of testing, we discovered something that jeopardizes the timely removal of Exchange audit data. We think everybody should know about this topic, so this week we are sponsoring a special webinar about Exchange mailbox auditing. Every security analyst and sysadmin of an Exchange organization should plan to attend in person, or at least register to get the recording.

The background is that, without help, your SIEM of course can’t tell you that someone other than the CEO is reading his or her mailbox. This is a blind spot no SIEM can afford to ignore, and so the solution is a programmatic means for retrieving and delivering those logs: LOGbinder for Exchange.

However, and this is the important part, LOGbinder’s support and development team investigated and reported what Microsoft later confirmed was a bug: the PowerShell cmdlet used for programmatic mailbox audit search has a flaw that produces inconsistent audit results if used to retrieve audit logs in less than 24 hours.

We informed Microsoft of our findings and they confirmed the bug after their own investigation. They also told us they had no timeline to fix the bug and suggested that users simply request audit logs some twenty-four hours after the event took place. We will continue to work with Microsoft on this issue and hope they do resolve it.

A delay of 24 hours is 24 hours too much. Added to that, the Exchange mailbox audit bug fix may be a long time in coming from Microsoft, if it ever does.

In last week’s webinar we showed you what we have done with LOGbinder to ensure complete audit results. And you will have an opportunity to register for a beta edition of LOGbinder for Exchange that offers a new feature to effectively remove the issue for high-priority mailboxes.

We urge you to view this special webinar Detect and monitor threats to your executive mailboxes with Exchange Server mailbox auditing. Click the links below to read the webinar abstract and to register for the recorded version and slide deck.

Click to register for the recorded version.

All registrations are free.


LOGbinder for Exchange 3.1 released

Mon, 07 Dec 2015 17:03:32 GMT

LOGbinder for Exchange 3.1 is now available. This new version of our Exchange audit solution introduces compatibility with Exchange 2016, including the translation of 55 new audit events. It also addresses the inconsistent results some have had in requesting mailbox audit data sooner than 24 hours. The new event list triggered an extensive effort to update our recommendations for Exchange audit rules and alerts so you can effectively track those new privileged operations.

Customers with current support and maintenance contracts will receive their update to the new LOGbinder for Exchange 3.1 at no additional charge.

